On 17 November 2020 the TPB released some Question and Answer comments on cloud computing and confidentiality as a result of questions received during the webinar.
There are a couple of very interesting answers that will surprise most accountants.
It’s also worth referring to the TPB practice note TPB(PN) 1/2017 on cloud computing and the Code of Professional Conduct, which notes that it is important to be mindful of Code Item 6. That item provides that a registered practitioner must not disclose any information relating to a client’s affairs to a third party without the client’s permission, unless there is a legal duty to do so.
Going back to the Q&A session there are a couple of interesting comments.
What happens when a client has set up cloud-based accounting software that the tax practitioner then uses?
The TPB response was: If the tax practitioner is inputting (and as such, disclosing) client information, they still have a responsibility to obtain the client’s consent to disclose the information to the third party (in this case, the cloud service provider) disclosure is authorised and should take into account the considerations set out in our cloud computing Practice Note.
Comment: It appears that if (for example) the client has a bookkeeping file, and the accountant is required to enter adjusting journal entries into this file, it is the responsibility of the accountant to have the client’s consent to key that data into the software (that the client set up!).
Are Virtual Private Networks (VPNs) no longer secure?
The TPB response was: VPNs seem like the perfect tool for the job – they encrypt and anonymise our data, keeping it secure and away from prying eyes. But things can get complicated; any technology poorly implemented or maintained can create security risks that the user didn’t intend. It’s worth ensuring you have engaged a trustworthy partner to help with your cloud security solutions. If you see something or aren’t sure about your or your client’s security, it’s important to ask.
Comment: Where accountants are deploying (security) technology that is known to be deficient and a data loss occurs, not only are they legally responsible for reporting the data loss, but there is also the question of culpability and responsibility for the loss, i.e. negligence.
In relation to Code item 6, does this mean that if I invite my software company in via remote access to support an issue I will be in breach as they potentially have access to client data? If so, how do I deal with this?
The TPB response was: You will need your client’s permission before disclosing any information to a third party, which would include a software company in this scenario.
Comment: As software companies may theoretically have access to any client information, it is likely the responsibility of the accounting firm to have a clause noting that the software company may access their data. The complexity will arise if some clients opt out of allowing the software company to access their data.